Many modern electronic devices, such as mobile phones, cable boxes and other set-top boxes, cable modems, and other devices, are computing devices that perform operations based on software and/or firmware loaded on the device. To prevent malicious code from being run on such devices, authorized code is often digitally signed and/or encrypted before it is loaded onto devices.
Most conventional processes for requesting signing of code images, or requesting performance of other cryptographic and/or digital security operations, require human interaction. For example, when a new code image is compiled, a human user normally needs to log into a separate code signing system, input instructions to transfer the new unsigned code image to the code signing system, and manually request that the code signing system sign the unsigned code image and return a signed version of the code image.
Such systems can cause delay, as human users need to manually request code signing before a signed code image can be generated and loaded onto a device. Code images are often compiled and built automatically at build machines, but there is generally a delay between production of the code image and the time when a human user can request that the code image be signed by the code signing system.
Even if existing systems can be set up to automatically build and submit code images to be signed, there can be a lack of accountability in many such systems. When code signing is requested manually, a user generally needs to log in with his or her user credentials, and the system can track information such as which user logged in, at what time, and what code they submitted for signing. However, many automated systems do not necessarily track this type of information when build servers or other equipment automatically submit code images for signing.
In automated signing systems, if a code image is compiled, submitted, and signed automatically, but is later discovered after signing to have security vulnerabilities, it can be difficult to track down which user introduced the security vulnerabilities since the compiling and signing process proceeded on an automated basis without direct human instruction. For instance, a code image could be compiled and signed automatically, and then loaded onto a target device. It may be discovered at a later time that the code image intentionally or unintentionally allows users to access cryptographic keys and certificates on the target device, such as DTPC-IP keys or other copy protection keys, in violation of licenses or other legal agreements. Because the code compilation and signing occurred automatically without direct human instruction, it can be difficult or impossible in many systems to determine how and/or when the security vulnerabilities were introduced to the code image.
What is needed is a code signing system through which build machines or other equipment can automatically request code signing and other cryptographic and/or digital security operations from the code signing system, without direct human involvement during the request process. The build machine and/or other equipment that submits code to be signed should be configured to maintain audit logs about its process for later reference.